
Data Protection Legislation and GDPR Impact
Explore the importance of data protection legislation, such as GDPR, in safeguarding individuals' privacy and ensuring appropriate use of personal data by organizations. Learn about the impact on clubs and available supports to navigate these regulations effectively.
Presentation Transcript
Data Protection Seminar
Introduction | Background | GDPR | Impact on us | Practical Example | Supports Available | Questions
Agenda
- Brief introduction to Data Protection
- Overview of upcoming legislation changes
- Impacts of these changes on the GAA & LGFA
- Supports available
- Questions
Today's Objective
At the end of today's session it is hoped that:
- You will have a good understanding of the Data Protection legislation
- You will have a good knowledge of the General Data Protection Regulation (GDPR)
- You will understand how your own clubs will be impacted by the legislation
- You will know what tools and supports are in place to help you, and what is also planned in the short term
- You will be sufficiently informed to understand that Data Protection is not anything to fear
What is Data Protection?
Data Protection refers to legislation that is intended to:
- protect the right to privacy of individuals (all of us)
- ensure that Personal Data is used appropriately by organisations that may have it (Data Controllers).
Personal data is any information that can be used to identify a natural person (the Data Subject), for example: Name, Date of Birth, Address, Phone Number, Email address, Membership Number, IP Address, Photographs, etc.
Some categories of information are defined as Special Categories of Personal Data and require more stringent measures of protection. These categories include: Religion, Ethnicity, Sexual orientation, Trade union membership, Medical information, etc.
Although not listed as special categories of personal data, the following are also awarded additional protection: Criminal Data and Children's Data.
Seven Principles of Data Protection
The key objectives of Data Protection can be summarised as follows:
1. Lawfulness, Fairness, Transparency
2. Purpose Limitation (Use only for one or more specified purposes)
3. Data Minimisation (Collect only the amount of data required for the specified purpose(s))
4. Accuracy (Ensure data is kept up to date, accurate and complete)
5. Storage Limitation (Kept for no longer than necessary for the specified purpose(s))
6. Integrity and Confidentiality (Processed ensuring appropriate security of data)
7. Accountability (Essential not only to be compliant, but to be able to demonstrate compliance)
What is GDPR?
The General Data Protection Regulation (GDPR) is new EU legislation that comes into effect on May 25th 2018. It very clearly sets out the ways in which the privacy rights of every EU citizen must be protected, and the ways in which a person's Personal Data can and can't be used.
- It places the onus on any person or entity involved in the processing of a person's information (Data Controller/Data Processor) to comply with the legislation and to demonstrate compliance.
- It carries significant penalties for non-compliance.
Data Controller or Data Processor?
The GDPR states that a data controller "determines the purposes and means of the processing", whereas a data processor "acts only and always on behalf of the data controller".
- The Club and the GAA centrally are joint controllers of members' personal data.
- Third parties such as Servasport, other membership system providers, messaging apps, insurance companies and online booking systems processing data on behalf of Clubs or the GAA are data processors.
How to comply
The Data Protection Commissioner has issued a guide to compliance, consisting of 12 steps:
1. Becoming Aware
2. Becoming Accountable
3. Communication with members
4. Personal Privacy Rights
5. Subject Access Requests
6. Legal Basis
7. Consent
8. Children's Data
9. Reporting Breaches
10. Impact Assessments
11. Data Protection Officers
12. International Organisations
Step 1 - Awareness
- GDPR will benefit all of us; it will ensure that our Personal Information is protected.
- It will also ensure that, as a Data Controller, each GAA Club, County or Provincial Board will be accountable for how it collects, uses and stores Personal Information.
- Every Member should be aware of the changes that GDPR will bring and how that impacts them, either as a volunteer working on behalf of the club or as an individual Club Member. This awareness will also benefit all of us in our personal lives.
- Clubs should ensure that information relating to GDPR is made available to Committee Members, Club Members, Coaches, Volunteers or anyone who is in any way involved with the Club.
- Information regarding Data Protection can be found on the GAA website: http://www.gaa.ie/dataprotection
Step 2 - Become Accountable
- It is imperative that each GAA Club understands exactly what Personal Information it holds and how it uses it.
- To ensure that this is clear, it is important that every club makes an inventory of the personal data that it holds and the processing activities undertaken.
- This Inventory, or Processing Activities Log, should examine data under the following headings:
  - Why is it being held?
  - How was it obtained?
  - Why was it originally gathered?
  - How long is it being retained for?
  - How secure is it?
  - Is it shared with any third parties?
  - Where is it stored?
Step 2 - Become Accountable (cont.)
- All registered members' information is stored on the GAA's central Games Management System (Servasport), and responsibility for this information is jointly held by the GAA centrally.
- Other systems may be in use in Clubs, and most of the third party providers of these kinds of systems (online registration, text messaging, fundraising) will be well aware of GDPR and will be able to advise on how they are ensuring compliance.
- Providers of third party systems should be contacted to verify that they are in compliance with GDPR.
- Ensure all third party relationships are governed by a contract or other legally binding instrument, to include penalties for non-compliance.
Step 2 - Become Accountable (cont.)
Other likely categories of Personal Information held by GAA Clubs will include:
- Information required for Garda Vetting (Note: The Data Protection Commissioner has advised a timeline of one year maximum for storage of all Garda Vetting information, including identity documentation. After one year, it should be securely deleted.)
- Cúl Camp or other training camp applications
- Text or messaging systems
- Email lists or distribution groups
- Teamsheets, training attendance lists
- Information captured on club websites
There may also be others, depending on individual clubs, and it is important that each club has a record of all of the Personal Data that it controls.
Step 3 - Clear Communication
It is required that individuals are aware of certain information before their data is obtained. Existing membership forms, and other forms used to collect data (e.g. Garda Vetting, Websites, etc.), must be updated to specifically tell individuals the following:
- The Club's identity
- The reasons for collecting the information
- The uses it will be put to
- Who it will be shared with
- If it's going to be transferred outside the EU
- The legal basis for processing the information
- How long it will be retained for
- The right of members to complain
- Whether it will be used for automated decision making
- Other specific personal privacy rights relevant under GDPR
Step 4 - Personal Privacy Rights
GDPR enshrines certain rights for individuals that must be supported by every Data Controller, including GAA Clubs. These rights include:
- Subject Access
- To have inaccuracies corrected
- To have information erased
- To object to direct marketing
- To restrict processing of their information, including automated decision making
- Data portability: the ability to receive all of their information in a standard format to move to another provider (more relevant for switching banks or utility providers than GAA Clubs, but must be supported)
Step 5 - Subject Access Requests
- Under Data Protection, a person has always had the right to request access to all of the information held about them. This is called a Subject Access Request (SAR).
- Subject Access Requests must be completed within one month, free of charge.
- Holding an accurate inventory of information will be a key enabler for completing SARs efficiently.
- Data has to be provided in a standard format.
- The person must also be informed of further information, including the relevant Retention Periods for the data held and their right to have inaccuracies corrected.
Step 6 - Legal Basis for Data Processing
Processing of Personal Information can only occur when there is a legal basis for carrying it out. Legal Basis can be established where one of the following applies:
- The person has given explicit consent
- Necessary for performance of a contract
- Compliance with a Legal Obligation
- To protect the vital interests of the person
- A task carried out in the public interest
- For the legitimate interests of the data controller
The legal basis for processing should be recorded.
Step 7 - Obtain & Manage Consent
- Individuals must be informed of what their data is going to be used for, who will have access to it, where it will be stored and how long it will be held for. They must give their consent for their data to be used.
- Consent must be "freely given, specific, informed and unambiguous". Members cannot be forced into consent, or be unaware that they are giving consent.
- Obtaining consent requires a positive indication of agreement; it cannot be inferred through silence (not objecting), pre-ticked boxes or inactivity.
Step 7 - Obtain & Manage Consent (cont.)
- Consent must be refreshed; it cannot be deemed as indefinite.
- Consent must also be verifiable. Data Controllers must be able to demonstrate that consent was given, and an audit trail should be maintained.
- Legal Basis can be used to process information in the absence of consent in certain, very specific, circumstances.
- It must be easily possible for a person to withdraw their consent.
Step 8 - Children's Data
- Under GDPR, children are not permitted to give consent for Data Processing.
- A child's Parent or Guardian must give consent on their behalf.
- Procedures must be in place to verify individuals' ages (for juveniles).
- Existing GAA policy relating to Juvenile members already supports this legislative requirement.
Step 9 - Report Data Breaches
- If unauthorised access to Personal Data occurs, or Personal Data is lost or stolen, this must be notified to the Data Protection Commissioner within 72 hours of being identified.
- This is a requirement for all paper information and all electronic information (unless the data is encrypted or anonymised).
- If the breach is likely to cause harm to the individual (Identity Theft or breach of confidentiality), then the individual must also be informed.
- A procedure to detect, report and investigate data breaches should be in place.
- It is imperative that Data Breaches or possible Data Breaches are not ignored in the hope that no one will notice; they must be investigated and reported, if appropriate to do so.
- Advice on data protection queries can be obtained on the GAA website http://www.gaa.ie/dataprotection or by emailing dataprotection@gaa.ie.
Step 10 - Data Protection Impact Assessments
- GDPR seeks to ensure that all significant new processes, initiatives or projects undertaken consider and ensure GDPR compliance.
- The concept of Privacy by Design and by Default is a key theme within GDPR.
- This requires that a Data Protection Impact Assessment must be undertaken to understand the potential impact of that project/initiative on the privacy of individuals prior to the processing taking place.
- GAA Clubs that are considering projects with high risk processing (i.e. new technology) or installing CCTV should conduct a Data Privacy Impact Assessment.
- A Data Privacy Impact Assessment can be conducted by meeting relevant stakeholders, identifying potential privacy issues and agreeing ways to mitigate the risk of issues occurring.
- Data Protection Impact Assessments must be documented and retained.
Step 11 - Data Protection Officers
- Every GAA Club should identify someone to coordinate their approach to meeting their Data Protection obligations.
- This will involve identifying and recording the specific locations where data is held in each club, ensuring that access to the data is controlled, and ensuring that consent is obtained in the appropriate manner and maintained accordingly.
- The GAA centrally will have expertise available for any Data Protection queries that require additional/legal advice. Queries of this nature can be submitted to dataprotection@gaa.ie
Step 12 - International Organisations
- GDPR includes a "one-stop shop" provision for Organisations that operate in more than one jurisdiction.
- A Lead Supervisory Authority can be nominated.
- For the GAA this will be the Data Protection Commissioner, based in Portlaoise.
GDPR Timelines
- GDPR is coming into effect on May 25th 2018. All data processing from that date will legally be required to comply with GDPR.
- There are consultations and working groups on-going within the EU and Member States to produce guidance on certain elements of the regulations.
- Recital 171 of GDPR makes allowance to bring non-GDPR processing already underway into compliance within 2 years.
- If consent was already obtained in a manner consistent with GDPR, it is not necessary to obtain consent again (immediately after May 25th).
Impacts on the GAA
GDPR places responsibilities on GAA units to comply and to demonstrate compliance:
- Consent needs to be obtained and refreshed regularly
- Privacy statements need to be updated
- Information needs to be protected and accurate
- Specific locations of information must be known
- Subject Access Requests must be facilitated (1 month)
- Breaches must be reported within 72 hours
- Privacy by design and by default must be adopted
- New procedures must be implemented to enable the above throughout the lifecycle of the data
Information Life Cycle
The life cycle diagram illustrates four main stages in the life cycle of information:
1. Capture: Obtain and record information
2. Store: Save the information electronically or in paper format
3. Use: Use or reuse information
4. Destroy: Delete, erase or shred information
GDPR Information Life Cycle
Under GDPR, the information life cycle will remain broadly the same; however, there are additional factors to be considered at each stage.
Capture
1. What you are allowed to capture
2. How you may do so
3. What you must tell the person in advance
4. What you must get from them (their permission)
Store
1. How you must store it
2. Where it can be stored
3. Obligations of third parties
4. What happens if you lose it
Use
1. What you can use it for
2. What you can't use it for
Destroy
1. How long you can keep it for
2. When you must destroy information
GDPR Information Life Cycle - Capturing Information under GDPR
1. Data Minimisation (Only ask for what is needed)
2. Privacy Notices (Clearly inform what, why, who and where)
3. Data Subject Rights (State the person's rights under the legislation)
4. Obtain Consent (Consent must be freely given and explicit for the purpose or purposes)
GDPR Information Life Cycle - Storing Information under GDPR
1. Safe and Secure (Information must be stored appropriately, e.g. locked cabinets/password protected files)
2. Restricted Access (Only authorised persons should have access to it)
3. Data Inventory (Information captured should be recorded)
4. Subject Access Requests (Must be in a position to provide ALL information held)
5. Contracts with Data Processors (Any third parties must have GDPR contracts in place)
6. Data Breaches (Processes to detect, report and investigate Data Breaches must be in place)
GDPR Information Life Cycle - Use of Information under GDPR
1. Appropriate use (Must be for the purpose(s) originally stated)
2. Consent (Must have the person's consent or a lawful basis for processing it)
3. Manage Consent (Individuals have the right to revoke consent for part or all of the processing; this must be managed)
4. Restricted (Profiling or automated decision making are restricted)
5. International Transfers (Any processing that occurs outside the EU must have been communicated to the person at the time of data capture, and must have additional safeguards in place)
GDPR Information Life Cycle - Destruction of Information under GDPR
1. Retention Period (Retention periods must be documented and justified, and data must be destroyed after its useful retention period has expired)
2. Right to erasure (Must be erased upon request from the person)
3. Portability (Must be provided in a standard format)
4. Third Party Copies (All copies of information must be deleted, including those held by third parties. Systems like WhatsApp can be an issue here due to the lack of control over the personal data held within them.)
GDPR Information Life Cycle - Assess
There is a fifth step required under GDPR, that is, the need to ensure Privacy by Design through upfront assessment of relevant projects:
1. Data Protection by Design and by Default (All relevant projects or initiatives must consider impacts on privacy from the outset)
2. Data Protection Impact Assessment (DPIA) (Must be conducted for new technology, profiling, large scale processing, or engagement of a new third party data processor)
3. Documentation (Decisions and rationale for decisions around Data Protection should be documented)
Summary of GDPR Information Life Cycle
Assess: Data Protection by Design and by Default; Data Protection Impact Assessment (DPIA); Documentation
Capture: Data Minimisation; Privacy Notices; Privacy Rights; Obtain Consent
Store: Safe and Secure; Restricted Access; Data Inventory; Subject Access Requests; Contracts with Data Processors; Data breaches
Use: Appropriate use; Consent; Manage Consent; Restricted; International Transfers
Destroy: Retention Period; Right to erasure; Portability; Third Party copies
GDPR Practical Example
- St Mary's GAA Club has a new Sports Hall and Astro Pitch and wishes to make it available for hire.
- They intend to use an on-line form to allow the public to reserve the hall or astro pitch.
- Payments won't be accepted on-line; cash will be collected on arrival.
- A committee has been set up to run the facilities and to ensure lights/showers etc. are available.
- Committee members will require contact information for those who make bookings in case there are any last minute changes.
GDPR Practical Example (cont.)
The first step for St Mary's is to Assess the project from a GDPR point of view. This project does involve capturing personal information; therefore a Data Protection Impact Assessment should be conducted. It should include:
- a description of the envisaged processing operations and the purposes of the processing;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance.
This process should be documented.
Data Protection Impact Assessment Process
1. Description of Envisaged Processing
2. Assessment of Necessity and Proportionality
3. Measures Envisaged to Demonstrate Compliance
4. Assessment of the Risks to Rights and Freedoms
5. Measures Envisaged to Address the Risks
6. Documentation
7. Monitoring & Review
GDPR Practical Example (cont.)
St Mary's needs to consider the information intended to be captured and the privacy information provided. The amount of data requested should be minimal, restricted to what is needed to process a booking. The Privacy Notices must clearly inform the person of:
- The club's identity and contact details
- The purpose for which it's being collected (processing a pitch booking)
- Who it will be shared with (in this case the committee and Online Bookings Limited)
- Where the data is stored and who has access to it
- The name and contact information of the on-line provider
- How long it will be held for
- Their privacy rights, including withdrawing consent and the right to object to processing or to complain to the Data Protection Commissioner
Sample Privacy Notice [image slide]
Sample Privacy Notice (cont.) [image slide]
GDPR Practical Example (cont.)
- Careful attention needs to be paid to how consent is obtained. The request for consent must be clearly explained and freely given.
- It cannot be bundled, i.e. it cannot include "I consent to having my data processed for the purpose of administering my booking and I consent to marketing mails from our sponsors".
- A positive indication of consent must be obtained: tick a box (never "untick a box to withdraw consent").
- It must be clear that they can withdraw consent at any time, and this must be managed, i.e. if they withdraw consent, St. Mary's must stop processing their data.
Sample Online Consent [image slide]
GDPR Practical Example (cont.)
Storing of personal information after it has been captured must be carefully planned and controlled.
- The controls in place for restricted access must be understood and documented.
- The categories of data captured should be added to the Club's log of processing activities (personal data inventory).
- A process to manage Subject Access Requests should be in place.
- Contracts with the on-line provider must cater for GDPR requirements.
- A process to monitor and report data breaches must be in place.
- The retention period must be agreed, implemented, documented and justified.
Sample Log of Data Processing Activities
Item: Description
- Data Subject: The individual whose data is processed, i.e. Club Member
- Data File / System: Form or system that the data is collected on
- Identifiable Fields: List of the Personal Data Items collected
- Special Categories: Are there any special categories collected? (Religion, Ethnicity, Sexual Orientation, Trade Union Membership, Medical Information etc.)
- Children's Data / Criminal Convictions: Is there Children's Data or Garda Vetting Data included?
- Collected From: Who provided the information
- Method: The method in which the data was collected
- Purpose for Processing: The purpose for collecting it
- Legal Basis for Processing: The legal basis for processing it
- Point of Contact: The point of contact in the club (Registrar, Children's Officer etc.)
- How and where is it stored?: The locations in which the data is stored
- Third Party Processor: Names of any third party Data Processors
- Shared within GAA?: Is the data shared within the GAA (Croke Park, County Board, Provincial Council)?
- Transfer outside EEA (if yes, add details of safeguards): Is the data transferred outside Europe?
- Retention Period: How long is it held for
- Disposal Technique: How the data is destroyed
- Accessible By: Who within the club has access to it
- Security Measures: How is the data protected? (Password Protection / Locked Cabinet / Encryption / Data Backed Up)
Subject Access Request (SAR) Process
Must be completed in one month.
Typical process for GAA clubs to manage Subject Access Requests from members (the swimlanes are Individual, GAA Club, Record, and the GAA Data Protection Officer in Croke Park):
1. Individual: Subject Access Request received; the club initiates the SAR.
2. GAA Club: Is it a written request? If not, request that the SAR is submitted in writing (electronically or on paper). If yes, acknowledge receipt of the SAR and record the date and time. Record: create a SAR record with the name of the individual and the date received.
3. GAA Club: Is the SAR unfounded? Consult with the GAA Data Protection Officer in Croke Park.
   - If yes: inform the individual that the SAR is rejected, the reasons why and their right to object to the DPC, and record the date and time. Record: update the SAR record with the reasons why it is unfounded and the date and time. Individual: informed.
   - If no: consult the Data Inventory to identify all locations of relevant data; extract copies of all electronic data in Excel, PDF or Word format; locate all paper documents and create copies; collate all information and provide it to the individual. Record: update the SAR record with all information shared and the date and time. Individual: all information received.
Data Breach Process
Notification to the DPC (if necessary) must be completed within 72 hours.
Typical process for GAA clubs to evaluate and report Data Breaches (the swimlanes are Individual, GAA Club, Documentation/Record, the GAA Data Protection Officer (DPO), and the Office of the Data Protection Commissioner (ODPC)):
1. GAA Club: the club becomes aware of a potential data breach, either directly or through a complaint raised by an individual. Documentation: record the date and time of the incident and how the incident was identified.
2. GAA Club: a risk assessment is conducted and the GAA DPO is consulted. Breach identified?
3. Is there a risk to rights? If no, document the reason why it is not a risk. If yes, the Office of the DPC is informed (within 72 hours) and the GAA DPO is informed.
4. Is there a high risk to rights? If no, document the reason why it is not a high risk. If yes, the individual is informed.
5. The Office of the DPC conducts an investigation; the club is informed of the outcome of the investigation and completes the relevant actions instructed by the DPC, with the GAA DPO assisting the club in resolution. Documentation: update the record with the outcome and actions taken. Investigation and actions complete.
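The SAR process and the Data Breach process above are both decision flows with a clock on them: one month from receipt of a written request, and 72 hours from the club becoming aware of a breach that poses a risk to rights. The following is an added example, not part of the seminar material or any GAA system, that encodes both flows so that a club officer can see at once which steps apply, who must be told, and when the deadline falls. The dates used are constructed; the month arithmetic clamps the day when the next month is shorter (a request received on 31 January is due by 28 February).

```python
"""Deadline tracking and triage for the SAR and data breach processes.

Added example, not part of the seminar material. It encodes the two flowcharts
on the slides: a Subject Access Request must be completed within one month of
receipt, and a breach that poses a risk to rights must be notified to the DPC
within 72 hours of the club becoming aware of it, with the individual informed
as well when the risk is high. The sample dates are constructed.
"""
import calendar
from datetime import datetime, timedelta
from typing import Optional

DPC_NOTIFICATION_WINDOW = timedelta(hours=72)


def add_one_month(dt: datetime) -> datetime:
    """Same day next month; the day is clamped when the next month is shorter."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def open_sar(received: datetime, written: bool, unfounded: bool, reason: str = "") -> dict:
    """Open a SAR record and list the steps the club must take, as on the flowchart."""
    record = {"received": received, "deadline": add_one_month(received), "steps": []}
    if not written:
        record["status"] = "awaiting written request"
        record["steps"].append("request that the SAR is submitted in writing (electronic or paper)")
        return record
    record["steps"].append("acknowledge receipt and record date & time")
    if unfounded:
        # The DPO in Croke Park is consulted before a request is treated as unfounded.
        record["status"] = "rejected"
        record["steps"].append(
            f"inform the individual of the rejection ({reason}) and of their right to object "
            "to the DPC; record date & time")
        return record
    record["status"] = "in progress"
    record["steps"] += [
        "consult the data inventory to identify every location holding the individual's data",
        "extract electronic copies (Excel, PDF, Word) and copy any paper documents",
        "collate and provide to the individual; record what was shared and when",
    ]
    return record


def triage_breach(aware_at: datetime, risk_to_rights: bool, high_risk: bool) -> dict:
    """Apply the breach flowchart: who must be told, and by when."""
    record = {
        "aware_at": aware_at,
        "dpc_deadline": None,
        "notify": [],
        "steps": ["document date & time of the incident and how it was identified",
                  "conduct a risk assessment and consult the GAA DPO"],
    }
    if not risk_to_rights:
        record["steps"].append("document the reason why it is not a risk to rights")
        return record
    # A risk to rights starts the 72-hour clock for notifying the DPC.
    record["dpc_deadline"] = aware_at + DPC_NOTIFICATION_WINDOW
    record["notify"] = ["Office of the DPC", "GAA DPO"]
    if high_risk:
        record["notify"].append("affected individuals")
    else:
        record["steps"].append("document the reason why it is not a high risk to rights")
    record["steps"].append("update the record with the outcome of the DPC investigation and actions taken")
    return record


def hours_remaining(record: dict, now: datetime) -> Optional[float]:
    """Hours left before the DPC deadline, or None when no notification is due."""
    if record["dpc_deadline"] is None:
        return None
    return (record["dpc_deadline"] - now).total_seconds() / 3600


# Constructed sample dates.
SAR_RECEIVED = datetime(2018, 1, 31, 9, 0)
BREACH_AWARE = datetime(2018, 5, 25, 10, 30)

if __name__ == "__main__":
    sar = open_sar(SAR_RECEIVED, written=True, unfounded=False)
    print("SAR due by", sar["deadline"], "-", sar["status"])
    breach = triage_breach(BREACH_AWARE, risk_to_rights=True, high_risk=True)
    print("DPC deadline", breach["dpc_deadline"], "notify:", ", ".join(breach["notify"]))
```

The two functions return plain dictionaries so the club's SAR and breach registers can be filled from them directly; the `steps` list is the "Record" lane of each flowchart, and `hours_remaining` is what a reminder would poll.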
GDPR Practical Example
How the data is used must also comply with the Regulations.
- It can only be used for the purposes for which it was originally captured (in this case, managing the hall or pitch booking).
- The information must be kept up to date; in this example it is unlikely that any meaningful change to the data will occur during its lifecycle.
- Consent must be maintained and updated.
- It is unlikely that, in this example, there will be automated processing or decision making, or international transfers.
GDPR Practical Example
Data must be destroyed once it has passed its retention period or upon request from the individual. Remember, all copies (hard and soft copy) must be destroyed, including any backup copies held by the provider or third parties.
- For pitch bookings, it is unlikely that the data is needed after the booking has been completed, and retention periods should reflect this.
- It is possible to maintain summary information for statistical purposes, but this shouldn't include name or contact information. Initials and the purpose for the booking should suffice.
- If there are repeat bookings, it would be permissible to retain the information for longer periods; this would need to have been communicated to the individual when giving their consent.
- It is unlikely that, in this example, data portability would be a factor.
Checklist of things to do
- Ensure awareness within the club.
- Ensure Privacy by Design & Default.
- Create an inventory of Data Processing Activities.
- Review access to personal information:
  - Evaluate who has access to personal data on the GMS (Servasport) and ensure they are authorised.
  - Implement a leavers process for all outgoing users.
  - Evaluate any other systems that hold member information for appropriate access.
  - Never share passwords or logon details.
- Ensure any third parties have provided assurance on GDPR compliance and appropriate legal agreements are in place.
- Ensure paper forms are stored in known and safe locations and are securely locked.
- Ensure any laptops holding data are encrypted.
- Ensure any spreadsheets and other documents are password protected.
- Ensure Subject Access Request and Data Breach processes are in place.
- Ensure documentation is in place.
- Ensure the BCC function on email is used.
- Leverage OneDrive as a mechanism to keep electronic data secure.
Supports Available
The GAA centrally will provide:
- Access to a Data Protection Officer
- GDPR compliant processes (SAR, Data Breaches)
- GDPR compliant templates (Privacy Notices, Obtaining Consent, Data Privacy Impact Assessment)
- Tools to support compliance:
  - GAA Membership App
  - OneDrive and Office365
- Training & Awareness for all levels of the GAA:
  - Seminars in Croke Park
  - On-line training module (http://learning.gaa.ie/courses/dataprotection)
  - Reference documentation on the GAA website (http://www.gaa.ie/dataprotection)
  - Updates in the Club Newsletter
GAA Management System (Servasport)
- Updates to the GAA Management System to support GDPR
- Mobile application to support:
  - Registration (personal information secure, accurate and up to date)
  - Payments
  - Communications (consent)
- Reduction in paper records